INTEGER DIVISION METHOD SECURE AGAINST COVERT CHANNEL ATTACKS



The invention concerns an integer division method 
secure against attacks of the covert channel type. The 
invention is in particular advantageous for performing 
division operation in a more general cryptographic method, 
for example a secret or public key cryptographic method. 
Such a cryptographic method can for example be implemented 
in electronic devices such as chip cards. 

The security of cryptographic methods lies in their 
ability to keep concealed the confidential data or data 
derived from confidential data that they manipulate. 

A malevolent user may possibly undertake attacks 
aimed at discovering in particular confidential data
contained and manipulated in processing operations 
performed by the calculation device executing a 
cryptographic method. 

Amongst the best known attacks, simple or 
differential covert channel attacks can be cited. Covert 
channel attack means an attack based on a physical quantity
measurable from outside the device and whose direct
analysis (simple attack) or analysis according to a
statistical method (differential attack) makes it possible
to discover data contained and manipulated in processing
operations performed in the device. These attacks have in
particular been disclosed by Paul Kocher (Advances in
Cryptology - CRYPTO '99, vol. 1666 of Lecture Notes in
Computer Science, pp. 388-397. Springer-Verlag, 1999).

Amongst the physical quantities which can be
exploited for these purposes, the execution time, the
current consumption, the electromagnetic field radiated by
the part of the component used for executing the calculation,
etc., can be cited. These attacks are based on the fact
that, during the execution of a method, the manipulation of
a bit, that is to say its processing by a particular
instruction, leaves a particular imprint on the physical
quantity in question, according to the value of this bit
and/or according to the instruction.

The cryptographic methods using as a basic operation
a modular exponentiation operation of type Y = X^D, X, Y and
D being integer numbers, have been very widely studied
during the past few years. By way of example, the RSA
method, the key exchange according to Diffie-Hellman or the
DSA signature method can be cited. Significant progress
has been made in protecting these methods against covert
channel attacks.

On the other hand, no study has been made on making
secure cryptographic methods using as an elementary
operation an integer division of the type q = a div b and r
= a mod b, a and b being two operands, q and r being
respectively the quotient and the remainder of the integer
division of a by b. a and/or b are secret data, for
example elements of a key of the method. For example, the
method of Barrett (P. Barrett, "Implementing the RSA public
key encryption algorithm on a standard digital signal
processing", vol 263 of Lecture Notes in Computer Science,
pp. 311-323, Springer Verlag, 1987), the method of
Quisquater (US patent 5,166,978, November 92) or the RSA
method implemented according to the Chinese remainder
theorem (J J Quisquater and C Couvreur, "Fast decipherment
algorithm for RSA public key cryptosystem", Electronics
Letters, vol 18, pp. 905-907, October 1982) are
cryptographic methods using an integer division as an
elementary operation.

A known method for implementing an integer division 
is the so called "paper/pencil" method. This method in 
practice repeats the method used when such an operation is
performed by hand. This method is set out below.

Given two data items a = (a_{m-1}, ..., a_0) of m bits and b
= (b_{n-1}, ..., b_0) of n bits, n less than or equal to m and
b_{n-1} ≠ 0, the so called "paper/pencil" division method
calculates the quotient q = a div b and the remainder r = a
mod b. For this purpose, the method successively performs
several divisions of an integer A of n+1 bits by the integer
b of n bits. It is necessary in practice to have 0 ≤ A/b <
2, which is the case whenever b_{n-1} ≠ 0.

The remainder r is a number of no more than n bits
since r < b. The quotient q for its part is a number of no
more than m-n+1 bits since q = a div b ≤ a div (b_{n-1}*2^{n-1}) =
a div 2^{n-1} = (a_{m-1}, ..., a_{n-1}) since b ≥ b_{n-1}*2^{n-1} and
(a_{m-1}, ..., a_{n-1}) is a number of m-n+1 bits. At the end of the
division method, the quotient q is stored in the m-n+1 least
significant bits of the register containing initially the
number a. The most significant bit of the remainder r is
stored in a 1-bit register used as a carry during the
calculation and the n-1 least significant bits of the
remainder r are stored in the n-1 most significant bits of
the register initially containing the number a.

As this work is carried out in base 2, the quotient
bit of the integer division A div b has only two possible
values: 0 or 1. Thus a simple way of performing the
operation A div b consists of subtracting b from A and then
testing the result: if the result of A - b is positive,
then A div b = 1, if the result of A - b is strictly
negative, then A div b = 0.

The complete division method can then be written in 
the following manner: 

Input:  a = (0, a_{m-1}, ..., a_0)
        b = (b_{n-1}, ..., b_0)
Output: q = a div b and r = a mod b

A = (0, a_{m-1}, ..., a_{m-n+1})
For j = 1 to (m-n+1), do:
    a <- SHL_{m+1}(a, 1) ; σ <- carry
    A <- SUB_n(A, b) ; σ <- σ OR carry
    if (¬σ = TRUE) then A <- ADD_n(A, b)
    otherwise lsb(a) = 1
End for

Method 1 

In this method, and throughout the following, the
following notations are used.

The symbol "<-" and the notation y <- x are used to 
indicate the loading of the content of a register 
containing a data item x in a register whose content is 
called y. 

A is an n-bit word corresponding to the content of
the n most significant bits of the register initially
containing the data item a. A is of course modified at
each iteration.

σ indicates whether or not the subtraction has been
performed wrongly (i.e. whether the quotient bit must be
equal to 0 or to 1).

¬σ is the complement to 1 (also referred to as
negation) of the variable σ. TRUE is a constant, equal to
1 in one example.

lsb(a) is the lowest weight bit of the number a, also 
referred to as the least significant bit of a. 

SHL_{m+1}(a, 1) is an operation of shifting to the left
by 1 bit in the register of m+1 bits containing the data
item a, the bit leaving the register being stored in the
variable carry and a bit equal to 0 being entered as the
least significant bit of the register initially containing
the data a.

ADD_n(A, b) is an operation of addition of the n bits
of the number b to the n bits of the word A. It will be
noted that the operation SHL_n(a, 1) is equivalent to the
operation ADD_n(a, a). Naturally the addition ADD_n(A, b) is
performed by adding, in an appropriate register content
addition circuit, the content of the two registers
containing respectively A and b.

SUB_n(A, b) is an operation of subtraction of the
number b from the word A. Naturally the subtraction
SUB_n(A, b) is performed by subtracting, in an appropriate
circuit, the content of a register containing the data item
b from the content of the register containing the word A.

Finally, as an abuse of language but in particular for
reasons of clarity, the same name will be used to speak of
a register and its content. Thus the register A is in fact
the register containing the data item A.

In summary, the method 1 performs the following
steps:

- if a <- SHL_{m+1}(a, 1) generates a carry (σ = carry =
1), this means that a_m = 1 (before shifting) and therefore
that b must be subtracted from A.

- if a_{m+1} = 0 (before shifting) and if A <- SUB_n(A, b)
generates a carry (carry = 1), this means that A - b ≥ 0
before subtraction and therefore b must be subtracted from
A.

- if a <- SHL_{m+1}(a, 1) does not generate a carry and
if A <- SUB_n(A, b) also does not generate a carry (that is
to say if, after updating σ, σ is false (or ¬σ is TRUE)),
then this means that A - b < 0 before subtraction and
therefore that b would not have to be subtracted from A.
In this case, the method performs an addition operation A
<- ADD_n(A, b) in order to restore the value of A.

The method 1 is sensitive to covert channel attacks.
This is because it is noted with method 1 that, at each
iteration, according to the value of σ, that is to say
according to the value of the quotient bit which will be
obtained during the current iteration, an addition ADD_n(A,
b) is performed or not. The number of operations performed
during an iteration therefore varies according to the 
result bit obtained during the said iteration. However, 
the current consumption during each iteration and/or the 
duration of each iteration varies according to the number 
of operations performed. By measuring and studying for 
example the trace left by the component when the method is 
executed, it is then possible to determine bit by bit the 
value of the result bits. 

Another method also known for performing integer
divisions is a variant of the "paper/pencil" method,
referred to as "non-restoring" (Non-Restoring Binary
Division Algorithm), in particular described in J.J.F.
Cavanagh, "Digital Computer Arithmetic", McGraw-Hill Company,
1984.

Input:  a = (0, a_{m-1}, ..., a_0)
        b = (b_{n-1}, ..., b_0)
Output: q = a div b and r = a mod b

σ' <- 1 ; A = (0, a_{m-1}, ..., a_{m-n+1})
For j = 1 to (m-n+1), do:
    a <- SHL_{m+1}(a, 1) ; σ <- carry
    if (σ' = TRUE) then A <- SUB_n(A, b)
                        σ <- σ OR carry
    otherwise           A <- ADD_n(A, b)
                        σ <- σ AND carry
    if (σ = TRUE) then lsb(a) = 1
    σ' <- σ
End For
if (¬σ = TRUE) then A <- ADD_n(A, b)

Method 2 

Compared with method 1, the method uses a new
variable σ' to preserve the value of σ obtained at the
previous iteration. Here, according to the value σ, an
addition or subtraction is performed. In other words, if
during an iteration b is wrongly subtracted from A, then
the value of A is restored during the following iteration
rather than at the end of the current iteration as in the
case of method 1.

Whatever the value of σ during an iteration, the
method performs the same number of operations during each
iteration. This precaution is however not sufficient to
protect the method against covert channel attacks. This is
because, at each iteration, a shift operation a <- SHL_{m+1}(a,
1) is performed and then, depending on the value of σ, an
addition A <- ADD_n(A, b) or a subtraction A <- SUB_n(A, b).

However, the performance of a subtraction takes
longer and consumes more energy than the performance of an
addition operation. This is because, usually, the
calculation means used for implementing the method do not
include a subtraction circuit. The subtraction operation
is performed by first of all calculating the complement to
2^n of b, denoted b̄, then adding b̄ to A, any carry of the
addition being stored in the variable carry. This method
of performing a subtraction is justified by the fact that,
by definition of b̄, b + b̄ = 2^n. This therefore gives A -
b = A + b̄ - 2^n = A + b̄ mod (2^n), mod (2^n) being a reduction
modulo 2^n. Two operations, an operation of complement to
2^n and an addition, are therefore in practice necessary for
performing a subtraction.

As the known integer division methods are not
protected against covert channel attacks, any cryptographic
method using the known integer division methods is
therefore no longer protected against such covert channel
attacks.

In addition, statistically, 50% of the bits of the
quotient obtained by a division method are equal to 0,
which means that statistically the method compensates for
one subtraction out of two made wrongly. The execution
time of method 1 is therefore statistically one point
five times longer than the execution time of method 2.

In the light of the problems of current cryptographic
methods, an essential object of the invention is a novel
method of performing an integer division, protected against
covert channel attacks.

A supplementary object of the invention is a method
of performing an integer division whose execution time is
very short.

A supplementary object of the invention is also a 
method of performing an integer division during which only 
the register containing the initial data item a is 
modified, replaced by the quotient and the result, any 
other register of the memory (and in particular the 
register initially containing the data item b) remaining 
unchanged at the end of the execution of the method. 

With this principal objective and these subsidiary
objectives in view, the invention proposes a cryptographic
method during which an integer division of the type q = a
div b and r = a mod b is performed, with a a number of m
bits, b a number of n bits with n less than or equal to m
and b_{n-1} non-zero, b_{n-1} being the most significant bit of b,
a method during which, at each iteration of a loop
subscripted by i varying between 1 and m-n+1, a partial
division is performed of a word A of n bits of the number a
by the number b in order to obtain a bit of the quotient q.

According to the invention, the same operations are 
performed at each iteration, whatever the value of the 
quotient bit obtained. 

Thus, with the method according to the invention, it 
is no longer possible to determine the bits of the result 
from the trace left during the execution of the method of 
invention. 

According to a first embodiment of the method of the
invention, at each iteration, an operation of addition of
the number b to the word A and a subtraction of the
number b from the word A are performed.

According to this first embodiment, the method 
preferably comprises all the following steps: 

Input:  a = (0, a_{m-1}, ..., a_0)
        b = (b_{n-1}, ..., b_0)
Output: q = a div b and r = a mod b

σ' <- 1 ; A = (0, a_{m-1}, ..., a_{m-n+1})
For j = 1 to (m-n+1), do:
    a <- SHL_{m+1}(a, 1) ; σ <- carry
    A <- (σ')SUB_n(A, b) + (¬σ')ADD_n(A, b)
    σ <- (σ AND σ') / (σ AND carry) / (σ' AND carry)
    lsb(a) <- σ
    σ' <- σ
End For
if (¬σ = TRUE) then A <- ADD_n(A, b)

In this embodiment, the above variable carry
designates the carry resulting from the operation SUB_n(A,
b) when σ' is equal to 1 and the carry resulting from the
operation ADD_n(A, b) when σ' is equal to 0.

According to a second embodiment of the method
according to the invention, at each iteration, an operation
is performed of addition either of the number b or of a
number b̄ complementary to the number b with the word A.

Preferably, during each iteration, an updating is
also performed of a first variable (σ') according to the
bit of the quotient produced, the said first variable (σ')
indicating whether, during the following iteration, the
number b or the number b̄ must be added to the word A.

Preferably again, according to this embodiment, the 
method comprises all the following steps: 

Input:  a = (0, a_{m-1}, ..., a_0)
        b = (b_{n-1}, ..., b_0)
Output: q = a div b and r = a mod b

A = (0, a_{m-1}, ..., a_{m-n+1}) ; σ' <- 1 ; b̄ <- CPL2_n(b)
For j = 1 to (m-n+1), do:
    a <- SHL_{m+1}(a, 1) ; σ <- carry
    d_addr <- b_addr + σ'(b̄_addr - b_addr)
    A <- ADD_n(A, d)
    σ <- (σ AND σ') / (σ AND carry) / (σ' AND carry)
    lsb(a) <- σ
    σ' <- σ
End For
if (¬σ = TRUE) then A <- ADD_n(A, b)

According to a third embodiment of the method
according to the invention, at each iteration, an operation
of complement to 2^n of an updated data item (b or b̄) or of
a notional data item (c or c̄) is performed, and then an
operation of addition of the updated data item with the
word A.

Preferably, during each iteration, an updating of a
second variable (δ) according to the bit of the quotient
produced is also carried out at each iteration, the said
second variable (δ) indicating whether during the following
iteration the operation of complement to 2^n must be
performed on the updated data item or on the notional data
item.

Preferably again, during each iteration, the updating
of a third variable (β) is also performed indicating
whether the updated data item is equal to the number b or
to the complementary number b̄.

Preferably again, according to this embodiment, the 
method comprises all the following steps: 

Input:  a = (0, a_{m-1}, ..., a_0)
        b = (b_{n-1}, ..., b_0)
Output: q = a div b and r = a mod b

σ' <- 1 ; β <- 1, γ <- 1 ; A = (0, a_{m-1}, ..., a_{m-n+1})
for j = 1 to (m-n+1), do:
    a <- SHL_{m+1}(a, 1) ; σ <- carry
    δ <- σ' / β
    d_addr <- b_addr + δ(c_addr - b_addr)
    d <- CPL2_n(d)
    A <- ADD_n(A, b)
    σ <- (σ AND σ') / (σ AND carry) / (σ' AND carry)
    β <- ¬σ' ; γ <- γ / δ ; σ' <- σ
    lsb(a) = σ
end for
if (¬β = TRUE) then b <- CPL2_n(b)
if (¬γ = TRUE) then c <- CPL2_n(c)
if (¬σ = TRUE) then A <- ADD_n(A, b)

The invention also concerns an electronic component
comprising calculation means programmed to implement a
method as described above, the calculation means comprising
in particular a central unit associated with a memory
comprising several registers for storing the data a and b.

Finally, the invention also concerns a chip card
comprising an integrated circuit as described above.

The invention will be better understood and other
characteristics and advantages will emerge from a reading
of the following description of example embodiments of
integer division methods according to the invention.

In a first example of implementation of the
invention, a method secure against covert channel attacks
is implemented by eliminating the test operations (of the
type if ... then ... otherwise ...) of method 2 and therefore the
consequences of their presence.

According to the invention, in method 2, the steps if
... then ... otherwise are replaced by the following three
steps:

    A <- (σ')SUB_n(A, b) + (¬σ')ADD_n(A, b)
    σ <- (σ AND σ') / (σ AND carry) / (σ' AND carry)
    lsb(a) <- σ

In this way the following method according to the
invention is obtained:

Input:  a = (0, a_{m-1}, ..., a_0)
        b = (b_{n-1}, ..., b_0)
Output: q = a div b and r = a mod b

A = (0, a_{m-1}, ..., a_{m-n+1}) ; σ' <- 1
For j = 1 to (m-n+1), do:
    a <- SHL_{m+1}(a, 1) ; σ <- carry
    A <- (σ')SUB_n(A, b) + (¬σ')ADD_n(A, b)
    σ <- (σ AND σ') / (σ AND carry) / (σ' AND carry)
    lsb(a) <- σ
    σ' <- σ
End for
if (¬σ = TRUE) then A <- ADD_n(A, b)

Method 3 

Method 3 is equivalent to method 2 in that it
produces the same result from the same input data a and b.
This is because, in method 2, when σ' = 1, the operation A
<- SUB_n(A, b) is performed and when σ' = 0, the operation A
<- ADD_n(A, b) is performed. The same applies in method 3
since σ' = ¬(¬σ'). Moreover, in method 2, when σ' = 1,
the operation σ <- σ OR carry is performed, and when σ' = 0
the operation σ <- σ AND carry is performed. This can be
written in the form

    σ <- (σ')(σ OR carry) + (¬σ')(σ AND carry),

which is logically equivalent to

    σ <- (σ AND σ') / (σ AND carry) / (σ' AND carry)

Finally, in method 2, by performing the operation
a <- SHL_{m+1}(a, 1), the least significant bit of a is fixed
at 0 (in other words lsb(a) = 0) and then, at the end of
the current iteration, if σ = 1, the operation lsb(a) = 1
is performed, otherwise, if σ = 0, lsb(a) is not modified.
It is therefore possible to easily replace the operation
{if σ = 1, lsb(a) = 1} by the operation lsb(a) = σ,
whatever the value of σ.

Method 3 is not only equivalent to method 2 but is also
secure vis-a-vis covert channel attacks. This is because 
the method contains no test operation of the type if .... 
then .... otherwise, and the same operations are performed at 
each iteration, whatever the bit of the input data used 
and/or the result bit obtained during an iteration. It is 
therefore impossible, from the trace left by the component, 
to separate the various iterations and to determine the 
bits of the input data and/or of the output data. 

In a second example of implementation of the 
invention, method 3 according to the invention is modified 
by limiting in addition the execution time of the method. 

As seen previously, in order to perform a subtraction
operation A <- SUB_n(A, b), in practice an operation b̄ =
CPL2_n(b) of complement to 2^n of the number b is performed
and then an addition operation of the type A <- ADD_n(A,
b̄).

Which means, for method 3, that at each iteration an
operation of complement to 2^n is performed, in addition to
an addition operation A <- ADD_n(A, b̄) or A <- ADD_n(A, b).

In order to reduce the execution time, the number of
operations of complement to 2^n b̄ <- CPL2_n(b) is limited, an
additional memory space is used to store the value of b̄ at
the start of the method. It then suffices to add b̄ to A
in order to effect A <- SUB_n(A, b) or to add b to A in
order to effect A <- ADD_n(A, b). This also makes it
possible to perform a single addition operation by
iteration, so that the execution speed is increased
further.

Two registers b and b̄ are used here in order to
store respectively the data b and b̄ and having the address
b_addr and b̄_addr. The register whose content is added to the
content of the register A during a given iteration is
called d and its address is called d_addr. In practice, at
each iteration, the register d is either the register
containing b or the register containing b̄. As in method
3, the variable σ' is used to keep a trace of what has
happened during a given iteration and to determine whether
an addition or a subtraction must be performed at the
following iteration. By grouping together the whole, the
following method 4 is finally obtained:

Input:  a = (0, a_{m-1}, ..., a_0)
        b = (b_{n-1}, ..., b_0)
Output: q = a div b and r = a mod b

A = (0, a_{m-1}, ..., a_{m-n+1}) ; σ' <- 1 ; b̄ <- CPL2_n(b)
For j = 1 to (m-n+1), do:
    a <- SHL_{m+1}(a, 1) ; σ <- carry
    d_addr <- b_addr + σ'(b̄_addr - b_addr)
    A <- ADD_n(A, d)
    σ <- (σ AND σ') / (σ AND carry) / (σ' AND carry)
    lsb(a) <- σ
    σ' <- σ
End For
if (¬σ = TRUE) then A <- ADD_n(A, b)

Method 4
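
The leak described for method 1 and the uniform loop of method 4, as an added C model that is not part of the original text: it records which iterations run the extra restoring addition and compares that record with the quotient. The function names, the 64-bit register model, the mask-based operand select and the always-executed final correction are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Quotient, remainder, and one bit per loop iteration that is set when the
   iteration ran an extra ADD_n. The mask models what a trace would show.
   Constraints (assumed): m <= 62, a < 2^m, 2^(n-1) <= b < 2^n, n <= m. */
typedef struct { uint64_t q, r, extra_ops; } div_result;

/* ADD_n: n-bit addition; the carry out of bit n-1 goes to *carry. */
static uint64_t add_n(uint64_t A, uint64_t x, unsigned n, unsigned *carry) {
    uint64_t s = A + x;
    *carry = (unsigned)((s >> n) & 1u);
    return s & ((1ULL << n) - 1);
}

/* Method 1: restoring division with a data-dependent restoring addition. */
div_result div_method1(uint64_t a, uint64_t b, unsigned m, unsigned n) {
    unsigned k = m + 1 - n, carry, sigma;      /* k iterations, k quotient bits */
    uint64_t R = a, low = (1ULL << k) - 1, rmask = (1ULL << (m + 1)) - 1;
    uint64_t bbar = ((1ULL << n) - b) & ((1ULL << n) - 1);    /* CPL2_n(b) */
    div_result out = {0, 0, 0};
    for (unsigned j = 0; j < k; j++) {
        sigma = (unsigned)((R >> m) & 1u);     /* bit leaving SHL_{m+1} */
        R = (R << 1) & rmask;
        uint64_t A = add_n(R >> k, bbar, n, &carry);          /* SUB_n(A, b) */
        sigma |= carry;
        if (!sigma) {                          /* runs only when quotient bit is 0 */
            A = add_n(A, b, n, &carry);
            out.extra_ops |= 1ULL << (k - 1 - j);
        }
        R = (A << k) | (R & low) | sigma;      /* write A back, lsb(a) = sigma */
    }
    out.q = R & low;
    out.r = R >> k;
    return out;
}

/* Method 4: b and its complement are precomputed, sigma' selects the operand,
   and every iteration is one shift, one select and one ADD_n. */
div_result div_method4(uint64_t a, uint64_t b, unsigned m, unsigned n) {
    unsigned k = m + 1 - n, carry, sigma, sigma_p = 1;
    uint64_t R = a, low = (1ULL << k) - 1, rmask = (1ULL << (m + 1)) - 1;
    uint64_t bbar = ((1ULL << n) - b) & ((1ULL << n) - 1);
    div_result out = {0, 0, 0};
    for (unsigned j = 0; j < k; j++) {
        sigma = (unsigned)((R >> m) & 1u);
        R = (R << 1) & rmask;
        /* d_addr <- b_addr + sigma'(bbar_addr - b_addr), written as a mask
           select instead of address arithmetic (choice made for this example) */
        uint64_t sel = 0 - (uint64_t)sigma_p;  /* all ones when sigma' = 1 */
        uint64_t A = add_n(R >> k, b ^ ((b ^ bbar) & sel), n, &carry);
        sigma = (sigma & sigma_p) | (sigma & carry) | (sigma_p & carry);
        R = (A << k) | (R & low) | sigma;
        sigma_p = sigma;
    }
    /* Final correction. The text uses "if (not sigma) then A <- ADD_n(A, b)";
       here b is masked to 0 instead so that the addition always executes. */
    out.r = add_n(R >> k, b & (0 - (uint64_t)(sigma_p ^ 1u)), n, &carry);
    out.q = R & low;
    return out;
}

int main(void) {
    /* Constructed sample: m = 16, n = 8, a = 0xBEEF, b = 0xC5. */
    div_result r1 = div_method1(0xBEEF, 0xC5, 16, 8);
    div_result r4 = div_method4(0xBEEF, 0xC5, 16, 8);
    printf("method 1: q=%llu r=%llu extra-op trace=0x%03llx\n",
           (unsigned long long)r1.q, (unsigned long long)r1.r,
           (unsigned long long)r1.extra_ops);
    printf("method 4: q=%llu r=%llu extra-op trace=0x%03llx\n",
           (unsigned long long)r4.q, (unsigned long long)r4.r,
           (unsigned long long)r4.extra_ops);
    return 0;
}
```

For method 1 the extra-operation trace is the bitwise complement of the quotient, which is the bit-by-bit recovery the text describes; for method 4 it is empty. The counters model the sequence of register operations only, so compiled code still has to be inspected for branches the compiler may introduce.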

In a third example of implementation of the 
invention, method 4 according to the invention is modified 
by limiting the memory space used for implementing the 
method. 

For this purpose, the value of b̄ complementary to b,
the result of the operation CPL2_n(b), is stored in place of
the initial value of b, in the same register. The
subtraction operation is thus performed by replacing b with
its complement b̄ in the same register and then adding to A
the content of the said register.

In addition, the calculation of unnecessary values of
b̄ is avoided (this is the case when two successive
iterations j and j+1 both use the same addition, either A
<- A + b or A <- A + b̄). For this purpose, another register
c is used whose content, indifferent or notional, is
replaced by its complement to 2^n when it is not necessary
to replace the content of the register initially containing
b (that is to say when two successive iterations use either
b or b̄). In practice, the register c is any register of
the memory, with the same size as the register containing 
b, but different from the registers initially containing a 
or b. The register c can also be used for performing other 
operations. At the end of the method of the invention, the 
register c contains its initial value, that is to say that 
which it had before execution of the method. The initial 
value of the content of the register c is completely 
indifferent since this value is not actually used in the 
context of the method according to the invention. 

The term d_addr is given to the address of the register
containing the value which will be replaced by its
complement to 2^n during the current iteration: d_addr is
either b_addr if the content of the register initially
containing b must be complemented to 2^n, or c_addr otherwise.
The term d is given to the content of the register whose
address is d_addr.

Use is also made of the variables β and γ to keep a
trace of the state of the value contained in the registers
located at the address b_addr and c_addr. This state is either
the original value or the original value complemented to
2^n. β = 1 (or respectively γ = 1) is chosen when the value
located at the address b_addr (or respectively c_addr) is the
original value, and β = 0 (or respectively γ = 0) when the
value located at the address b_addr (or respectively c_addr) is
the complement to 2^n of the original value. The variable
σ' is used to keep a trace of the value of the variable σ
at the previous iteration. As before, σ' = 0 means that an
unnecessary subtraction (A <- SUB_n(A, b) = ADD_n(A, b̄)) was
performed at the previous iteration and that an addition
operation A <- ADD_n(A, b) must be performed during the
current iteration in order to compensate. Conversely, σ' =
1 means that no subtraction was performed wrongly during
the previous iteration and that a subtraction must be
performed during the current iteration.

The following truth table is obtained:

    Previous values | Updated values
    σ'  β  γ        | β  γ
    1   1  0        | 0  0
    1   1  1        | 0  1

The following are derived from this:

    β <- ¬σ'
    γ <- γ / σ' / β

By grouping together the whole, the following method 
5 is finally obtained : 

Input:  a = (0, a_{m-1}, ..., a_0)
        b = (b_{n-1}, ..., b_0)
Output: q = a div b and r = a mod b

σ' <- 1 ; β <- 1, γ <- 1 ; A = (0, a_{m-1}, ..., a_{m-n+1})
for j = 1 to (m-n+1), do:
    a <- SHL_{m+1}(a, 1) ; σ <- carry
    δ <- σ' / β
    d_addr <- b_addr + δ(c_addr - b_addr)
    d <- CPL2_n(d)
    A <- ADD_n(A, b)
    σ <- (σ AND σ') / (σ AND carry) / (σ' AND carry)
    β <- ¬σ' ; γ <- γ / δ ; σ' <- σ
    lsb(a) = σ
end for
if (¬β = TRUE) then b <- CPL2_n(b)
if (¬γ = TRUE) then c <- CPL2_n(c)
if (¬σ = TRUE) then A <- ADD_n(A, b)

Method 5
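
An added C model of method 5 (not code from the original text), checking that each iteration performs exactly one complement and one addition and that the b and c registers end with their initial values. It assumes that the "/" in the update rules denotes exclusive OR, which is the reading that reproduces the two truth-table rows shown; the function names and the 64-bit register model are also assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Quotient, remainder, final contents of the b and c registers, and the
   number of CPL2_n operations executed.
   Constraints (assumed): m <= 62, a < 2^m, 2^(n-1) <= b < 2^n, c < 2^n. */
typedef struct { uint64_t q, r, b_reg, c_reg; unsigned cpl_ops; } m5_result;

m5_result div_method5(uint64_t a, uint64_t b, uint64_t c, unsigned m, unsigned n) {
    unsigned k = m + 1 - n;                    /* iterations = quotient bits */
    uint64_t nmask = (1ULL << n) - 1, low = (1ULL << k) - 1;
    uint64_t rmask = (1ULL << (m + 1)) - 1;
    uint64_t reg[2] = { b, c };                /* reg[0]: b register, reg[1]: c */
    uint64_t R = a;                            /* (m+1)-bit register holding a */
    unsigned sigma, sigma_p = 1, beta = 1, gamma = 1, delta, carry;
    m5_result out = {0, 0, 0, 0, 0};

    for (unsigned j = 0; j < k; j++) {
        sigma = (unsigned)((R >> m) & 1u);     /* a <- SHL_{m+1}(a, 1) */
        R = (R << 1) & rmask;
        delta = sigma_p ^ beta;                /* "/" read as XOR (assumption) */
        reg[delta] = (0 - reg[delta]) & nmask; /* d <- CPL2_n(d), d is b or c */
        out.cpl_ops++;
        uint64_t s = (R >> k) + reg[0];        /* A <- ADD_n(A, b register) */
        carry = (unsigned)((s >> n) & 1u);
        sigma = (sigma & sigma_p) | (sigma & carry) | (sigma_p & carry);
        beta = sigma_p ^ 1u;                   /* beta <- not sigma' */
        gamma ^= delta;                        /* gamma <- gamma / delta */
        sigma_p = sigma;
        R = ((s & nmask) << k) | (R & low) | sigma;   /* lsb(a) = sigma */
    }
    if (!beta)  reg[0] = (0 - reg[0]) & nmask; /* restore b */
    if (!gamma) reg[1] = (0 - reg[1]) & nmask; /* restore c */
    out.r = R >> k;
    if (!sigma_p) out.r = (out.r + reg[0]) & nmask;   /* final correction */
    out.q = R & low;
    out.b_reg = reg[0];
    out.c_reg = reg[1];
    return out;
}

/* Applies the update rules to one truth-table row (sigma', beta, gamma)
   and returns the updated pair packed as (beta << 1) | gamma. */
unsigned table_row(unsigned sigma_p, unsigned beta, unsigned gamma) {
    unsigned delta = sigma_p ^ beta;
    return ((sigma_p ^ 1u) << 1) | (gamma ^ delta);
}

int main(void) {
    /* Constructed sample: m = 16, n = 8, a = 0xBEEF, b = 0xC5, c = 0x5A. */
    m5_result r = div_method5(0xBEEF, 0xC5, 0x5A, 16, 8);
    printf("q=%llu r=%llu b=0x%02llx c=0x%02llx complements=%u\n",
           (unsigned long long)r.q, (unsigned long long)r.r,
           (unsigned long long)r.b_reg, (unsigned long long)r.c_reg, r.cpl_ops);
    printf("rows 110 and 111 update to %u and %u\n",
           table_row(1, 1, 0), table_row(1, 1, 1));
    return 0;
}
```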

In general terms, the essential advantage of the
invention compared with the other known methods performing
the same operation is that it is secure vis-a-vis covert
channel attacks, and in particular attacks of the SPA type.
In addition, in order to be implemented, the method
according to the invention requires no more resources (in
particular in terms of execution time and memory space)
than the known unprotected integer division methods.



